For the past week I’ve been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I’m going to tell you how I did it.

First, though, I ought to point out that my girlfriend is a journalist, that I had her permission (“in principle …”) and that this was all in the name of science, bagging a Pulitzer and paying the school fees. You have nothing to worry about, or at least not from me.

But back to business. First I had to get hold of her phone. It wasn’t difficult. We live together and she has no reason not to trust me, so she often leaves it lying around. And, after all, I only needed it for five minutes.

I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn’t want me to tell you any more than that. I ticked the website’s terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plus VAT.

Almost immediately, my girlfriend’s phone vibrated with a new text message. “Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with ‘LOCATE'”. I sent the requested reply. The phone vibrated again. A second text arrived: “WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you.” I deleted both these text messages.

On the website, I see the familiar number in my list of “GSM devices” and I click “locate”. A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn’t go off at all. There is no trace of what I’m doing on her phone. I can’t quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes access to someone else’s phone. I can’t find anything in her mobile that could possibly let her know that I’m checking her location. As devious systems go, it’s foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.

By the time my better half got home, I was so childishly over-excited that I managed to keep all of this secret for precisely 30 seconds. And to my disappointment, she wasn’t even slightly freaked out. I don’t know if that says good or bad things about our relationship and I wouldn’t want you to come away thinking it’s all a bit “Mr & Mrs Smith” around here. Having said that, we came up with at least five new uses for this technology between us in a few minutes, all far more sinister than anything I had managed to concoct on my own.

And that, for me, was the clincher. Your mobile phone company could make money from selling information about your location to the companies that offer this service. If you have any reason to suspect that your phone might have been out of your sight, even for five minutes, and there is anyone who might want to track you: call your phone company and ask it to find out if there is a trace on your phone. Anybody could be watching you. It could be me.


65 Responses

Teek said,

what worries me is the ease with which anyone can use this type of service.

folks already use all sorts of ways to keep a track on those they care about/are suspicious of, but with specific positional information available it’s much easier to keep tabs on people without them knowing. which in itself might not be the worst thing, but what happens when corporations buy this info and follow their customers/clients in order to gain info about their activities? databases made from loyalty cards are bad enough, but if companies can tell exactly where we are every day of the week, that scares me a great deal more!!

lo said,

Just remember that you are not tracking a person, you are tracking a phone.
Put your phone in the train to Paris, and use the other one you just bought yesterday.
(By the way, how does the location work, when one changes country ?)

Ian said,

PC Plod: Hello, miss ?
Ben’s Ex-Girlfriend: I think I am being stalked by my ex-boyfriend.
Plod: Really ?
BxG: Yes, he seems to somehow know where I am all the time, and keeps appearing.
Plod: Hmm, have you got a mobile phone, miss ?
BxG: Why, yes.
Plod: Can I have the number, please ?
BxG:
Plod: ‘scuse me a second, miss.

Plod: Hello ? Mobile Phone Company Limited ? Yes, this is the police, please tell me any traces on mobile number

Plod: Hello ? Stalkers-R-Us Mobile Tracing ? Yes, this is the police, I understand you have a trace on mobile number , would you kindly give the debit or credit card associated with that trace ?

Plod: Hello ? Mastercard ? This is the police, can you give the owner and address of the following credit card …

Plod: That would be a Mr Goldacre of , would it, miss ?
BxG: Why yes, that’s him, that’s right, how ever did you find out so quickly ?
Plod: Easy miss, some idiot who thinks he can commit a crime without being traced, we’ll have him in the cells tonight and he can explain how and why he got a trace on your phone to the judge tomorrow morning, with luck he’ll be on the sex offenders register by next week.
BxG: You doing anything tonight ?

[…] Ben Goldacre: How I stalked my girlfriend. I am usually quite ambivalent about security issues with technology (there are people who would probably throw up their arms and shriek about the security implications if paper and pencils were invented yesterday) — but this is really scary. […]

I understand that the mobile networks in the UK have agreed guidelines with the Home Office to regulate the use of a service like this. One of the guidelines requires that regular sms messages are sent to the phone being tracked to inform them of the situation. I’d be interested to know if Ben’s girlfriend received any of these texts.

We were wondering about the second text (“WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you.”) Did this have any contact information on it? Can you tell the company to cancel the tracking if you are the phone owner? Will they give the phone owner the name of the person who set up the tracking? Or by someone sending the ‘locate’ text on the phone have you just signed away any right to get the thing cancelled? The point in asking is that even if they sent regular texts rather than just one, if your only option is to either go to the police or get a new phone it’s not much of an improvement.

(note that this is a US article so the legal discussion doesn’t necessarily apply in the UK)

it sounds even more dodgy. If the police/intelligence agencies need to go through that many steps for permission to get the tracking data off mobile phone companies, then the idea that an ordinary person can do it in two steps is dubious at best.

Can any lawyers clarify this? On the basis of a few other Register stories on stalking by GPS, it appears to be illegal to track someone without their permission this way.

Mark said,

To Ian, and others who think it’s too easy to get caught: The scenario presented, whereby the police simply check all phone-trace services to find any traces, is very simplistic.

For one thing, it assumes that the stalkee is even aware of the stalker before it’s too late and something bad has happened.
For another thing, it assumes that the stalker isn’t even sophisticated enough to use fake billing information, such as a stolen credit-card. Heck, if you have access to someone’s phone long enough to set up this service, isn’t it also likely that you might be able to steal their wallet and get their credit-card for 5 minutes as well? Granted, they might check their statement, but then, they might not. And by then it might be too late anyway.

A service like this really needs to provide some mechanism for the stalkee to opt out of the service permanently, as well as continuous updates of the status of any current traces.

“A service like this really needs to provide some mechanism for the stalkee to opt out of the service permanently, as well as continuous updates of the status of any current traces.”

That is what the code of practice essentially recommends for people tracking, but it appears to be far less stringent for companies claiming they want to use it to track goods or delivery vehicles. We doubt there is any way to enforce the code of practice other than bad publicity for companies that don’t follow it.

The code of practice says that the stalkee (they call it locatee, but same thing) should be sent regular random texts saying the service is active, they should be able to cancel it at any time and they should be told who the stalker (locator as they call it) is.

You’re in danger of creating exactly the same sort of “evil technology beyond our control” type of story that you would normally take as an invitation by the author to rip their argument apart.
I agree that the security right now is laughable at best but there is a clear implication in your story that you could have carried on tracking your girlfriend like this for weeks; you make no mention that the service will send a text message to the phone at random intervals warning the owner that they are being tracked. No, that may not prevent the situation you describe but it does indicate that the company is at least aware that confirmation when you sign up isn’t enough.
You imply that the company doesn’t care about privacy when in practice they are just hopelessly naive and simplistic in their safeguards.

JonnyW said,

re the code The code of conduct on spikedonline posted by amoebicvodka.
I notice that the frequency of the random text messages to alert the tracked phone is covered by Annex D. Got to Annex D “Confidential Annex” !

Also after hearing Ben’s Radio 4 piece last week I rang Orange to ask if my phone was being or ever has been tracked. The person I spoke to didn’t have a clue what I was talking about and couldn’t tell me, they certainly weren’t aware of such tracking service and when I pointed him to a couple of web sites he seemed a little worried himself, all of which somehow doesn’t seem too reassuring.

Moving on I have also heard of plans (I can’t remember where but I’ll try and find it although it may have been a sales pitch for 3g phones) for such location information to be sold to advertisers, so that for example should you be near a McDonald’s or such like you get a text voucher offering you some special deal at that particular branch. The text voucher is then exchanged via IR in the McDs hence the advertiser gets paid. The idea being touted was that these vouchers would be tailored to a personal profile! Where the profile comes from I can’t remember or didn’t think to ask. Now I presume you would have to register for such a service if you wanted it but if it came with the usual sort of terms and conditions then I doubt most people would have read them all and you would be sharing a hell of a lot of information about yourself for some most probably minimal benefit. What price a burger?

Something which also concerns me is that as the cost and size of technology such as phones, cameras etc decreases and they become simple to use and set up then possible avenues for abuse grow. So what would have previously been possible but not probable due to cost etc suddenly becomes far more accessible to many more people. For instance disposable mobiles are already available so how long before someone creates a mobile with no screen, keypad or voice capability but with an auto text responding facility and that is set up on your PC. This could be far smaller and therefore easier to conceal and I presume far cheaper than a similar acting GPS device and plenty cheap enough to be considered disposable. Something similar has already been seen with a regular mobile in Scotland see the thread from Saturday’s BS. Admittedly it would seem far harder to legislate against this sort of use but it does seem that privacy legislation is playing catchup with technology and I don’t want to be paranoid but it looks set to get worse eg facial recognition systems in town centers, biometric id cards, tracking of all car journeys either by number plate or gps, RFID, Celldar www.guardian.co.uk/mobile/article/0,2763,811034,00.html and more. To use a cliche most (ID cards and car tracking maybe accepted) of this does seem to be creeping in through the back door under some pretext without serious discussion as to its current or future implications particularly with reference to the maturing of the technology. With the heavy involvement of the private sector and general public access to such location services etc you would think that they need to be covered by more than just a code of conduct. With some serious discussion about where we’re going personal privacy.

It would be a good way to find your phone if you left it somewhere assuming you had planned to leave it somewhere in advance. It’s a little hard to reply to the text message to switch the system on if the phone is lost

pv said,

Because google are everywhere.
If you hate the ads that much then run firefox, install the adblock extension and kill them. Of course that is morally questionable since you are then making use of the content of the site while removing its means of funding itself.

When these privacy issues started getting mentioned here I pulled up the logs for my web site. As of last week a whole two people have followed links from here to my site. I was able to trace the IP of one of them back to the point of knowing their employer. The other one went back to a very small phone company which they either worked for or was their ISP. I could also find out their OS and browser (both were IE6 on WinXP) and by checking the version numbers would have had a rough idea of whether they kept their system patched up to date.
My site logs the minimum amount of data and is as non-invasive as possible, trust me, google is the least of your worries online. Obviously doing this by hand takes time and isn’t something that I normally do but it would be easy enough for someone to automate the process.

The truly ironic thing about this site is that each page has a link XHTML at the end which takes you to the W3 web page validator. Running it shows up errors on every single page.

Richard P said,

The coy “the Guardian, rather sensibly, doesn’t want me to tell you any more than that” …about the identity of the website is rendered a little pointless when there is a GoogleAd for just such a tracking service alongside …

pv said,

Andy I don’t think Google are the worst thing in the world to worry about by any means. But they are always there, flogging moronic or pointless mobile phone related services or other tat, and it’s bugging me. The place is beginning to resemble the inside of a Central London phone box. Maybe if the ads were a little more subtle and a bit less like the mountains of waste paper you can see poking out of most front door letter boxes in Britain any day of the week, it wouldn’t be so bad.
I was going to say there is no humour in these ads, but Google advertising Yahoo is neat.
Btw, I’m in Italy and I get some adverts in Italian. So they’re not watching me then!

Install an ad filter, miss the comedy, get over yourself, if people pay someone to build an elaborate site, pay the hosting, fill it with content, moderate off the spam, I don’t care if they get a few dollars from ads to pay those bills. You UK guys are really tight, and backward, this argument was had on most blogs a year ago. I hope you do a lot of voluntary work!

pv said,

“You UK guys are really tight”.
Another demonstration of two nations divided by a common language. Misty, do you mean “mean with money” or “blind drunk”?
Regarding discussions unknown to me, fortunately I have a life in the real world so I don’t spend all my free time in blogs and forums…
Backward? That’s me! About as un-post-modern as it’s possible to be and very happy about that.
As for getting over myself, these kind of contortions are best left to circus acts, snake oil vendors and theologists.
And yes, the adverts are funny (stupid-funny). I’ve already looked at them. There was humour in my last post too – have you ever seen the inside of a Central London telephone box? But not everyone gets the humour it seems…

GWO said,

Incidentally … G2 ran a section shortly after this article appeared, asking how hard various famous personages studied when they were at University. The consensus was “Not very hard”. It is, apparently, pretty easy to graduate from University without learning any facts, simply by forming interesting opinions.

The great and good included a historian, a philosopher, and a great many writers and journalists. Number of scientists polled? Awww, I don’t even have to tell you that. You can see for yourself.

Andrew,
Some ads are by impressions rather than click through, Google’s are a mixture. Adblock has an option to still download the ads but not display them so that it looks like the advertisement has been viewed to the server but it is off by default.

Misty,
Did I ever say that I blocked them? I don’t, as you said they are funny. Just because I know how to do something please don’t automatically assume that I have taken that action. Us Brits may be uptight and backwards but at least we don’t jump to conclusions and make accusations without any evidence. Well not always. Maybe. I’m sure there are a few people who don’t. Sometimes.

Andy, I was more thinking along the lines of “I just got a mobile phone, I’m going to pay for this service and register right now. So if I happen to lose it in the future, I can track it and reclaim it – in theory”.

If it is stolen then the accuracy isn’t good enough and even if you knew where it was showing up yourself wouldn’t be a good plan. The police or phone company could still trace it in that situation. They wouldn’t but they could.
If you just left it somewhere and you can’t find it by retracing your steps then normally calling it and seeing if someone has picked it up/hears it ring will work. Despite what the press like to tell us most people are honest. The one time I found a phone in a field I called the most recent caller and got the phone back to its owner.
If the phone is lost somewhere where there aren’t any people to notice it then the chances are that there aren’t many cell towers in the area and so the accuracy of the location fix is going to be poor.
True, there are situations where this location service would work better than any other method but, in my opinion at least, not enough to justify signing up. But then I try my best not to lose my phone in the first place

It’s written for a law site, and mentions you aren’t allowed to delete (or possibly even read) someone else’s text messages. Doesn’t mention whether following someone’s movements this way (without consent) is, in itself, illegal.

It says:

“An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone. According to World-Tracker’s spokesman, the company complies with this requirement in the Code.”

(They assume it’s this company based on the radio 4 thing mentioned elsewhere, but this might not be the case)

So does this mean that after a week, she didn’t get a text? And if Ben’s girlfriend still has the service running, has she got a text since the Guardian piece? The frequency of the reminder texts may be confidential, but it’s a bit useless using them to protect people from misuse if you can stalk someone for 1 or 2 weeks without them knowing.

The question is, what does the code of practice say about the frequency of the warning texts? The service doesn’t seem too expensive, so we doubt that the recommended frequency would be that often. Does it need to be the company or the code of practice itself that needs to be looked at?

We note that the code of practice recommends much tighter rules on obtaining consent for children than adults. This includes establishing the relationship between the stalker and stalkee is real and that the stalker has not given a false address. Nice to know that adults are mysteriously immune from needing that extra protection.

Tony Rymer said,

From the conversation I had last week with Paul Nicholson, I think WorldTracker have implemented a system that sends an SMS once a phone is deleted from the service. This message states that the phone has been tracked and gives the owner a chance to investigate any malicious use.

Ben I do think that you made some good points in the interview however I feel the important thing is how the technology providers respond to these criticisms.

Misty said,

Mobile phone tracking, girlfriend stalking and the law
All in a day’s work
By OUT-LAW.com
Published Thursday 2nd February 2006 23:09 GMT

A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called ‘How I stalked my girlfriend’. It painted a scary picture.

The service is run by World-Tracker, a company based on the Isle of Man. When a mobile number is entered onto the World-Tracker website, a text message is sent to that phone, to ask if the person carrying the phone wishes to be tracked.

If consent is given by reply, World-Tracker will show the location of the mobile phone on a map or as a map reading, using a Google Maps-based interface. The accuracy is between 50 and 500 metres. When the phone moves, the movement can be monitored online whenever the phone is turned on.

The system can be accessed through either a PC or mobile phone with internet access. It works with mobiles on the Vodafone, O2, T-Mobile and Orange networks.

World-Tracker is targeting parents who want to keep an eye on their children’s movements; businesses wanting to track their workers; lone workers, who feel more secure if someone else knows where they are; and anyone else who has ever lost a mobile phone – giving reassurance that their phone can be located more easily.

But in yesterday’s Guardian, freelance writer Dr Ben Goldacre revealed a sinister side to the service. (He didn’t name the site in his article; but Dr Goldacre had discussed it previously in a Radio 4 interview in which World-Tracker was also involved).

He signed up – for £5 plus VAT – and he provided his girlfriend's phone number. He lives with her and said he needed her phone for just five minutes to initiate the tracking.

According to his article, the first message read: “Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with ‘LOCATE'” He replied from her phone as instructed and another text arrived: “WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you.”

He deleted these messages and tracking began.

Dr Goldacre has said that he had his girlfriend's consent for his experiment, conducted in the interests of journalism; but his article portrays a system open to abuse – and according to World-Tracker, Dr Goldacre omitted some vital details about its service.

OUT-LAW spoke to World-Tracker today. It described a quite different service. A spokesman – who did not wish to be named – said the company follows an industry Code of Practice for the use of location data. He pointed out that a breach of the Ofcom-endorsed Code would result in the mobile networks withdrawing their services from World-Tracker.

An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone. According to World-Tracker’s spokesman, the company complies with this requirement in the Code.
The Code of Practice states

“Subsequent to activation, the [location service provider] must send periodic SMS alerts to all locatees to remind them that their mobile phone can be located by other parties. These alerts should be sent at random intervals, not in a set pattern. The suggested text and minimum standard frequency for sending the alerts is set out in Annex D.”

In fact, Annex D is marked confidential: it is only made known to location service providers like World-Tracker, perhaps to minimise the risk of message interception.

Fiona Caskey, an Associate with Pinsent Masons, the law firm behind OUT-LAW.COM, regularly advises companies on data protection issues, including surveillance of employees.

She said that if the company is following the code, it is probably doing all that is necessary to comply with the country’s privacy laws. But unscrupulous boyfriends are taking a risk if they seek to exploit the service.

“If Ben hadn’t obtained his girlfriend’s consent, he’d be breaking the Regulation of Investigatory Powers Act, better known as RIPA,” said Caskey. It is an offence under RIPA to intercept and delete someone else’s text message, she explained. “Such behaviour runs a risk of up to two years’ imprisonment and a fine.”

Perhaps surprisingly, the boyfriend is unlikely to breach the Data Protection Act by his acts. "He could argue that he was doing this for 'domestic purposes' – and he's off the hook," said Caskey.

Spoke to Drew Cullen at The Register, and the person who wrote the article at Pinsent Masons. Drew was very nice, said he will put this up at the bottom of the piece five minutes after getting it:

It is unfortunate that you did not contact me, or read both of my two
Guardian articles on this subject, or even listen to the Radio 4 piece
you wrote about, before publishing inaccurate criticisms of my stories
raising concerns about what I consider to be a very serious privacy
issue.

You quote an accusation by World Tracker that I “omitted some vital
details about its service”. You go on to say yourself that “An
important step required by the Code was not mentioned in the Guardian
article: it demands that periodic text messages are sent to the
phone.”

This specific matter was discussed at length in the Radio 4 piece
which you unfortunately did not listen to. The answers from Paul
Nicholson of World Tracker at that time were initially confusing and
the reporter chairing the discussion had to come back to him several
times before we could ultimately clarify the issue of how the
follow-up text message warnings worked.

I explained at that time this basic fact: that I have tracked phones
through this service, for several days, and then deleted them from the
World Tracker website, and they have never received these follow-up
warning messages. It is as simple as that. The Radio 4 reporter’s
phone that we also tracked specifically never received any follow up
text messages.

When finally confronted for a response on this matter, Paul Nicholson
of World Tracker said, verbatim: “If that was.. if that was the case
then we obviously… should… we obviously will will look at our system
for this better, and, and make sure that a text goes out in a sooner
period.”

I explained my concern that once somebody was deleted off the system
they would never get a follow-up text, and never know that they were
being tracked, and he agreed: “As things stand at the moment no, but
this is something that we should seriously look at.”

It was also clear throughout the Radio 4 interview that the privacy
concerns that I was raising were issues that Paul Nicholson of World
Tracker had not fully considered beforehand. He even said: “From what
Dr Goldacre is saying I am going to take this away and we are going to
look into this a lot deeper.”

The security provisions that World Tracker currently have in place
present no barrier whatsoever to somebody tracking a phone undetected,
exactly as I described in my piece, and there was no wilful omission
of information from my article.

I am extremely disappointed that you did not listen to the Radio 4
piece that you write about, or contact me, before publishing these
criticisms of my article. Since my email address appears at the bottom
of every single one of my 150
weekly Guardian columns, in which this story first appeared, I do not
believe that anybody could have any difficulty in contacting me.

Lastly, for my own part, I was initially reassured that Paul Nicholson
of World Tracker was taking these privacy concerns seriously, and
looking at changing their systems. Now that they seem to be denying
the problems I have identified with their system, I am once again
extremely concerned.

This is the register we are talking about. It’s not like it’s a site that anyone takes too seriously.
They left details out of the story, so did the article in the Guardian on the 1st. Yes those details are in the radio 4 show and the other Guardian story but there will be a large number of people who will only see the most recent story.
I haven’t noticed any gross factual errors anywhere so this simply strikes me as normal journalistic bias. Something that should be taken for granted in anything that is on the register.

Misty said,

Well, hang on though, they do say that Goldacre withheld information to make the story better, when he didn’t:

“Goldacre omitted some vital details about its service” is a quote from World-tracker, for which they are liable as they published it.

“An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone.”

There was no reason to mention that, as it does not happen in the way world-tracker claim anyway, and so it was completely irrelevant to the story.

What I find strange is that the Register wrote a nitpicking (and inaccurate) story about whether the Guardian article was legal, or accurate, instead of running a story about how it’s possible to track people through their mobile phones.

Struan Robertson (of Pinsent-Masons and “OUT-LAW”) has agreed to this correction on their site and on The Register article.

Ben Goldacre replies…

Dr Goldacre contacted OUT-LAW with the following comments:

“You quote an accusation by World Tracker that I ‘omitted some vital details about its service’. You go on to say that ‘An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone.'”

Dr Goldacre says he told a World-Tracker representative on last Friday’s Radio 4 interview that he had tracked phones through World-Tracker’s service for several days, and then deleted them from the World Tracker website – “and they have never received these follow-up warning messages. It is as simple as that. The Radio 4 reporter’s phone that we also tracked specifically never received any follow up text messages.”

When confronted for a response on this matter, Dr Goldacre says the World-Tracker representative replied that he would “look at our system” and “make sure that a text goes out in a sooner period.”

Dr Goldacre continues: “I explained my concern that once somebody was deleted off the system they would never get a follow-up text, and never know that they were being tracked, and he agreed: ‘As things stand at the moment no, but this is something that we should seriously look at.'”

He concludes: “The security provisions that World Tracker currently have in place present no barrier whatsoever to somebody tracking a phone undetected, as I described in my piece, and there was no wilful omission of information from my article.”

We have notified World-Tracker that this story has been amended and suggested that they communicate directly on this matter.

OUT-LAW did not listen to the Radio 4 interview and we did not speak with Dr Goldacre before reporting the comments made by World-Tracker. We apologise for any offence caused to Dr Goldacre as a result of these omissions.

Sheesh. Thanks for that. If anybody ever wants to write something about my articles, they are more than welcome to contact me, I must be just about the easiest journalist in Britain to get hold of.

From the conversation I had last week with Paul Nicholson, I think WorldTracker have implemented a system that sends an SMS once a phone is deleted from the service. This message states that the phone has been tracked and gives the owner a chance to investigate any malicious use.

Ben I do think that you made some good points in the interview however I feel the important thing is how the technology providers respond to these criticisms.

I am honestly relieved to hear that World Tracker may be clearing up some of these problems, although in my opinion World Tracker are not the problem, the code itself is not tight enough.

At the bottom of this is the fact that I was able to track people’s location, pure and simple, exactly as I described, without them ever being made aware of that fact by the tracking system. There’s no more to it than that. I think it’s a matter of serious public concern, and I am equally concerned that The Register should throw doubt on that story without going to the simple bother of checking it out for themselves.
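The gap argued over above, where a phone deleted from the service before any periodic reminder falls due never receives a follow-up text, can be modelled in a few lines. This is an added example, not World-Tracker's code and not part of the original comments; the class names, the 14-day reminder interval, the message wording and the phone number are assumptions.

```python
from dataclasses import dataclass

REMINDER_INTERVAL_H = 14 * 24   # assumed reminder period; the page gives no figure


@dataclass
class TrackedPhone:
    last_notice_h: int          # hour of the last text sent to the handset
    locates: int = 0            # location lookups performed so far


class TrackingService:
    """Hypothetical model of a locate service's notification policy."""

    def __init__(self, notify_on_delete: bool):
        self.notify_on_delete = notify_on_delete
        self.phones = {}
        self.outbox = {}        # number -> texts sent after the opt-in exchange

    def register(self, number, now_h):
        # Opt-in reply received; those first texts may already be deleted.
        self.phones[number] = TrackedPhone(last_notice_h=now_h)
        self.outbox[number] = []

    def locate(self, number, now_h):
        phone = self.phones[number]
        # Reminder is checked on each lookup and only fires while registered.
        if now_h - phone.last_notice_h >= REMINDER_INTERVAL_H:
            self.outbox[number].append((now_h, "REMINDER: this phone can be located"))
            phone.last_notice_h = now_h
        phone.locates += 1

    def delete(self, number, now_h):
        phone = self.phones.pop(number)
        # The fix: tell the handset it was tracked when it leaves the service.
        if self.notify_on_delete and phone.locates:
            self.outbox[number].append(
                (now_h, f"NOTICE: this phone was located {phone.locates} times"))


def run_scenario(notify_on_delete, days=7, number="+440000000000"):
    """Locate hourly for `days`, then delete; return (lookups, texts sent)."""
    svc = TrackingService(notify_on_delete)
    svc.register(number, 0)
    for hour in range(1, days * 24 + 1):
        svc.locate(number, hour)
    svc.delete(number, days * 24)
    return days * 24, svc.outbox[number]
```

With `notify_on_delete=False`, a week of hourly lookups followed by deletion leaves the outbox empty; with it set to `True`, the handset gets one notice at the moment of deletion.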

Homeopath said,

Unimpressed said,

This is all a bit hysterical. I don’t care a fig whether the story’s straight or crooked, it’s neither surprising nor particularly worrying. Phones have been trackable for a long while, and cars won’t be far behind. The legality of it affects nothing more than the price – anecdotal evidence suggests that private investigators aren’t getting any fitter.

Fundamentally, the problem isn’t so much that things work in ways we don’t understand. It’s the fact that, unsurprisingly, information leaks (as per the second law of thermodynamics), and always has done. If secret stuff can leak out of Number Ten or Mastercard, then it can leak out of anywhere (and not always on purpose). And sometimes, it’s not even secret. It was well after the Data Protection Act happened that the Government was forced, reluctantly, to stop flogging your name and address to anyone who asked, and that’s only if you tick a box you’re politely discouraged from ticking. If you carry something that can be traced, whether it’s a smart ticket or an active mobile phone or a loyalty card or a bank card or, in the nearish future, your face, then you should expect it to be tracked.

There are supposed to be regulations, but, like so many, they’re clearly unworkable. Take the Oyster Card system (London Transport’s smart tickets). The operators claim only to store identifiable journey information for two months, and then it’s humanely destroyed. But I’d like to see them prove it.

amenabletopasta said,

“The phone can’t be tracked when off. The tracking works measuring the signal strength at several base stations and triangulating the position. This works because the phone sends a signal periodically to the network so that it can easily be located when there is a call.
When off the phone does not send these signals and so can’t be tracked.”

Paul Whittaker said,

‘the Guardian, rather sensibly, doesn’t want me to tell you any more (about the website)’. Took me 2 minutes to find the website offering tracking services. In the Google age it’s either silence or complete openness.

Roy Badami said,

Even better, if your girlfriend had an older, buggy, mobile phone, and she had bluetooth enabled, you could have hacked into her phone and responded to and deleted the text message without ever touching it.

I believe this has been demonstrated…

Delster said,

I’ve come into this conversation quite late but nobody has mentioned the fact that the first message received on the girlfriend’s phone was to add to a “Buddy List”??? WTF!

It’s not till after that one was replied to that it mentions tracking the phone, by which point the service is running. Surely the first text should go along the lines of “Mr. X would quite like to know where you are all the time to allow him to stalk you more easily” ok so possibly not quite that wording but it should explain what it’s actually asking you to agree to.

I’m a telecoms engineer and, trust me on this, a lot of people would have no idea how to go about getting a service like that removed after they have agreed to be a buddy….

Peewee said,

This really is no big deal in the grand scheme of things. Nearly _all_ forms of remote service use a physical device or token (computer, phone, smart-card on a credit-card etc..) as a means of authenticating the user — and rarely (although for secure applications this is becoming more common) a private secret piece of information known only by the authentic user (eg a PIN). Here are some everyday examples:

– Lost password on a web site. If you have lost your password for registered access to a web site, the standard protocol is to assume that only the real user of the site has access to the email address with which they registered. Nearly all home users configure their mail browser to save their POP3 password. So I bet you could access all of your girlfriend’s password-restricted sites if you wanted as well.

– Pre-CHIP&PIN card transactions. The main proof of authentic use of the account used to be possession of the credit-card itself. Nobody checked signatures. If you left your credit card lying around then somebody could pretend to be you.

– Car keys. If you leave your car keys lying around somebody could take your car – commit a speeding offence without your knowledge – and then you would be liable for it!!

– Ordering a pizza. The pizza company will verify that you are who you claim to be by using caller-id on the phone. This means that somebody you trust to have physical access to your phone can order a pizza to be delivered to your house without your consent.

etc.. etc..

Whoaaaa! Scary! Call Liberty!

The very simple principle to learn here is that if you don’t trust the people around you who have everyday access to, eg your wallet, your mobile phone, your computer, your keys- then take steps to secure them! Keep your wallet with you at all times. Similarly with your mobile phone stupid! If you don’t trust cohabitees not to abuse your identity online then put your PC in a locked-room or at the very least put a BIOS password on it. And don’t leave the keys or the password lying around like you did with your mobile you idiot!

These are not big mysteries about modern technology that are imposed upon innocent people by big companies. These are the usual ravings of a technologically clueless older generation that has ceased to understand modern ubiqiotious technology and then whinges incesenstently about it.

Peewee said,

It really does not take a genius to realise that somebody in possession of your phone can pretend to be you in several ways. For example, the SMS protocol makes no steps to authenticate the sender to the receiver beyond the address of the sending phone…. So.. therefore… you could send text messages purporting to be from your girlfriend when they are in fact from Mr Goldacre. You could play havoc with somebody’s life this way by sending texts to work colleagues etc.. if you so desired. Secondly, they can run up bills on your account.

The common sense conclusion is obvious. Regardless of location services, if you don’t trust people with physical access to your phone then secure it. Eg Put a PIN on it. Keep it with you. This applies regardless of what extra non-telephony services are available on your phone network and is just plain common sense.

It’s no different from your car keys. Your car keys give you access to a potentially lethal weapon. Your car is tracked around the country by its number plates. The technology exists to require that your car asks for a PIN to be entered instead of just assuming that the key-holder is a legitimate driver- yet this is not the case. Why is this no big deal? Because people realise that they need to keep keys safe.

A mobile phone and a desktop PC are just other forms of ‘key’- and it really isn’t hard to work this out!

Shehzad A. Yazdani said,

thebaron said,

On Peewee:
“These are the usual ravings of a technologically clueless older generation that has ceased to understand modern ubiqiotious technology and then whinges incesenstently about it”
Older generation: I guess that’s me (I hope not “technologically clueless”, but that may be self-delusion).
I’m even old enough to know how to spell “ubiqiotious” correctly. However, what does “incesenstently” signify :
(1) incessantly
(2) insistently
(3) incensedly
I numbered the alternatives so you won’t have to waste your (young?) technopacked brain on such an obsolete task, viz. decent spelling.

Kess said,

That’s so funny, it really is a complete copy of my article. I particularly like the bit where they get an “independent technology expert in” to talk about it.

Obviously there are no intellectual property laws about that kind of thing, nor should there be, and telly people generally think their “research” is “taking stories from print”.

But having said that, if I worked making filler telly, and a good story came up in print that I was going to copy, I’d get in the person who did the story I was copying, on the simple pragmatic grounds that they’d obviously have expertise and probably more material on the same subject.

Heh:

Guy did not know that when I borrowed his phone for a few minutes earlier in the day, I took the opportunity to register it on one of the tracking services.

I received the incoming text message warning him about the tracking, responded to it and then deleted it from his inbox.

When I gave him his phone back, Guy had no idea he was now in possession of a consenting tracking device.

Hence, a little while later, I could watch him emerge from the tube at the start of his tour.